I'm working up a documentation patch to make this spelled out more explicitly but I wonder if there isn't more that should be done.
Currently ``Model.full_clean`` is not called automatically when saving a model. This is not a big deal when manually constructing your models as you can just do:

    m = MyModel(field=foo)
    m.full_clean()
    m.save()

However there is no easy way to get a similar behavior when using ``MyModel.objects.create`` or ``MyModel.objects.get_or_create``. The documentation currently mentions that get_or_create is useful in data import scripts, but also mentions using it in views.

My patches will try to make it more explicit that it's unsafe to assume that the constraints in the field (e.g. URLField) will be enforced, but I wonder if maybe it would make sense to either make running ``full_clean`` the default or provide a way for people to specify that it should be run. It appears that it's not run by default due to backwards compatibility: https://code.djangoproject.com/changeset/12103 .

Currently I would assume that, both because of the lack of warning in the documentation and because it isn't obvious behavior (e.g. a URLField that accepts unsafe input, such as ``javascript:alert("xss");``), more than one Django powered site is vulnerable to attacks such as an XSS where they are using ``create`` or ``get_or_create`` manually without passing through a form.